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Protection of EU Personal Data in Salesforce's Services 


Trust is the #1 value at Salesforce and we maintain a comprehensive set of security and compliance certifications and 
attestations. Salesforce customers can use our Services, protect their data, and comply with EU law by relying on our 
industry-leading legal and technical frameworks and safeguards. We provide a comprehensive privacy program, 
including resources that document our compliance and help our customers on their own privacy journeys. 


We offer industry-leading technical and organizational measures to enable customers to maintain control of 
their data and who has access to it. We provide encryption of data in transit as standard as well as encryption of 
data at rest features. These include encryption key management options such as Bring Your Own Key (BYOK). An 
overview of the measures we have implemented can be found in the Security, Privacy and Architecture 
Documentation for our services, here. More information on data encryption at rest options is here. 


In addition to our proven technical and organizational measures, we offer the strongest contractual 
protections available for challenging government requests for data. 


e Data Processing Addendum (“DPA”). Salesforce’s DPA provides comprehensive and best-in-class 
protections for both our customers’ and their users’ data, including industry-leading protections around global 
government access requests in response to the European Court of Justice’s decision in Schrems II and the 
associated European Data Protection Board Recommendations for supplementing cross-border transfer 
mechanisms. 

e Binding Corporate Rules (“BCRs”). Salesforce’s BCRs have been approved by all EU data protection 
regulators, including our lead regulator, the French Commission nationale de l'Informatique et des libertes 
(“CNIL”), and contain specific protections from government requests for access to EU personal data (Section 
10). BCRs reflect the highest data protection standards in existence, have not been challenged in court, and 
remain a legally valid transfer mechanism. 

e Standard Contractual Clauses (“SCCs”). Salesforce’s DPA incorporates the latest set of SCCs for the 
transfer of personal data outside of Europe, which contain additional protections from government 
requests for access to EU personal data in response to Schrems II. More information is here. 


While data transfers continue to be legal between EU and non-EU countries, we recognise that some 
customers want to keep more of their data local. Many Salesforce services are delivered in data centres in the 
EU, which enables customers to store data on EU servers, and to minimize the amount of data transferred outside of 
the EU. Building on this strong residency offering, Salesforce’s Hyperforce EU Operating Zone will further allow 
customers to process and store their data in the EU, including keeping company data, search indexes, and encryption 
keys within the EU. 


Salesforce’s Transparency Report shows that it is rare for Salesforce to receive non-EU government 
requests for EU customer personal data. Due to the nature of our business, Salesforce generally does not 
process data that is of particular interest to U.S. or other non-EU law enforcement or intelligence services. 
Trust starts with transparency. Unless prohibited by law, Salesforce would always notify a customer if it were to 
receive a request for that customer’s Customer Data. This document explains the principles that Salesforce 
follows if we receive such a request. 


More information. For more on Salesforce’s commitment to privacy including our approach to government data 
requests, please visit compliance.salesforce.com and salesforce.com/privacy/overview/. You can also contact 
your Salesforce Account Executive to learn how we can help you accelerate your mission success. 


Disclaimer: The information provided in this document is strictly for the convenience of our customers and is for general informational purposes only. Salesforce does 
not warrant the accuracy or completeness of any information, text, graphics, links or other items contained within this document. It may be advisable for you to consult 
with a professional such as a lawyer, accountant, architect, business advisor, or professional engineer to get specific advice that applies to your specific situation. This 
document is subject to change at any time without notice. The rights and responsibilities of the parties with regard to use of Salesforce’s online services shall be set 
forth solely in the applicable agreement executed by Salesforce. Customers should make their purchase decisions based upon features that are currently available. 
This information is subject to Salesforce’s Forward-Looking Statements at: https://investor.salesforce.com/about-us/investor/forward-looking-statements/. 
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